From: Epiphanov Sergei
To: Sisyphus
Subject: Re: [sisyphus] Re: Q: perl security, CPAN security
Date: Mon, 27 Jun 2005 17:14:34 +0400
Message-Id: <200506271714.34636.serpiph@nikiet.ru>
In-Reply-To: <20050627125816.GM31585@solemn.turbinal.org>

In a message of 27 June 2005 16:58, Alexey Tourbin wrote:
> On Mon, Jun 27, 2005 at 04:13:57PM +0400, Epiphanov Sergei wrote:
> > > And someone, on the contrary, has umask 077 for root. So after such
> > > an installation nobody will get access to the modules unless you
> > > fiddle with it specifically.
> >
> > Peculiar. :) Usually, since the work is being done as root, you expect
> > it to have 022. That same security level 4 in Mandrake assumes setting
> > 022 for root and 077 for non-root, and there is a certain logic in that.
>
> What is the logic in that? How is it better than chmod 0700 ~ ?

For the most part, as root you have to copy files from a local directory
into a system one. With 077 for root, the created file will be unreadable
by anyone except root. With 022 it is readable (and possibly executable).
This is just my personal opinion. If I am missing something, please point
it out. No offense taken on my side.

> > # ./vmware-config.pl
> > Insecure $ENV{ENV} while running with -T switch at ./vmware-config.pl
> > line 987.
> > #
>
> And what is on line 987? And what is in $ENV{ENV}, there or on your side?

Not on my side, on VMWare's. A piece of the vmware-config.pl program:

...
# Execute the command passed as an argument
# _without_ interpolating variables (Perl does it by default)
sub direct_command {
  return `$_[0]`;
}
...

> > Then the VmWare users will tear you to pieces right away and move to
> > another distribution. And VMWare is unlikely to listen to ALTLinux alone.
>
> Dictatorship of the proletariat...

Some dictatorship. At the moment, to configure VMWare you already have to
make several non-trivial moves (one because of an installer bug, another
because of a bug in the Makefile of the vmnet-only and vmmon-only modules).
If this gets added on top of that... And by the way, how will aclocal and
automake react to this addition?

-- 
Best regards,
Epiphanov Sergei
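
Added example (not part of the original message, nor code from any project mentioned in it): a shell sketch of the umask point discussed in the thread. It copies a module tree under umask 077 and 022, audits which entries other users cannot read or traverse, and shows that setting modes explicitly after the copy removes the dependence on root's umask. The module name Foo::Bar, the directory names and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added illustration; Foo::Bar and all paths/function names are constructed.

# Build a small source tree with ordinary modes (dirs 755, file 644).
make_src() {
    src=$(mktemp -d) || return 1
    mkdir -p "$src/Foo" || return 1
    echo 'package Foo::Bar; 1;' > "$src/Foo/Bar.pm"
    chmod 755 "$src" "$src/Foo" && chmod 644 "$src/Foo/Bar.pm" || return 1
    echo "$src"
}

# Plain copy: resulting modes are the source modes masked by the umask.
copy_with_umask() {   # $1=umask  $2=source tree  $3=destination (must not exist)
    ( umask "$1" && cp -R "$2" "$3" )
}

# Copy, then set modes explicitly so the result does not depend on the umask.
# X adds execute/search only for directories (and files already executable).
install_fixed() {     # same arguments as copy_with_umask
    copy_with_umask "$1" "$2" "$3" && chmod -R u=rwX,go=rX "$3"
}

# Audit: print files others cannot read and directories others cannot enter.
audit_world_access() {   # $1=installed tree
    find "$1" \( -type f ! -perm -o=r -o -type d ! -perm -o=rx \) -print
}

# Demonstration on constructed data.
demo_src=$(make_src)
demo_work=$(mktemp -d)

copy_with_umask 077 "$demo_src" "$demo_work/umask077"
echo "cp under umask 077, inaccessible to other users:"
audit_world_access "$demo_work/umask077"

copy_with_umask 022 "$demo_src" "$demo_work/umask022"
echo "cp under umask 022, inaccessible to other users:"
audit_world_access "$demo_work/umask022"

install_fixed 077 "$demo_src" "$demo_work/fixed"
echo "umask 077 followed by explicit chmod, inaccessible to other users:"
audit_world_access "$demo_work/fixed"

rm -rf "$demo_src" "$demo_work"
```

The audit function can be pointed at a real module directory to find files left unreadable by an installation run under a restrictive umask.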